Ingress Product Security Update Advisory (CVE-2024-7646)

Overview

An update has been released to address a vulnerability in the Ingress products. Users of the affected versions are advised to update to the latest version.

Affected Products

CVE-2024-7646

  • ingress-nginx controller versions earlier than 1.11.2 (1.11.2 itself is not affected)
  • ingress-nginx controller versions earlier than 1.10.4 (1.10.4 itself is not affected)

Resolved Vulnerabilities

  • An actor with permission to create Ingress objects (`networking.k8s.io` or `extensions` API group) could bypass annotation validation to inject arbitrary commands and obtain the credentials of the ingress-nginx controller (CVE-2024-7646).

Vulnerability Patches

Patched versions of the affected product are available in the latest update. Follow the instructions on the referenced sites below to update to a patched version.

CVE-2024-7646

  • ingress-nginx controller version: 1.11.2
  • ingress-nginx controller version: 1.10.4

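As an added check that is not part of this advisory, the following Python snippet classifies ingress-nginx controller image references (as they would appear in `kubectl get pods -A -o jsonpath='{..image}'`) against the fixed versions listed above; the image list is constructed sample data, and release lines other than 1.10 and 1.11 are reported as "not-covered" by this advisory rather than as safe.

```python
"""Classify ingress-nginx controller images against the fixed versions in this advisory."""
import re
from typing import Dict, Iterable, Optional, Tuple

# Fixed version per release line, as stated in the advisory (1.10.4 and 1.11.2).
FIXED_VERSIONS = {(1, 10): (1, 10, 4), (1, 11): (1, 11, 2)}

# Matches the controller tag, with or without a leading "v", ignoring any digest suffix.
_TAG_RE = re.compile(r"controller:v?(\d+)\.(\d+)\.(\d+)")


def parse_controller_version(image: str) -> Optional[Tuple[int, ...]]:
    """Return (major, minor, patch) for an ingress-nginx controller image, else None."""
    if "ingress-nginx" not in image:
        return None
    m = _TAG_RE.search(image)
    return tuple(int(x) for x in m.groups()) if m else None


def assess(image: str) -> str:
    """Classify one image reference.

    'affected'    - a 1.10/1.11 line release below the fixed version
    'fixed'       - at or above the fixed version for its line
    'not-covered' - a release line this advisory does not list (no verdict given here)
    'ignored'     - not an ingress-nginx controller image
    """
    ver = parse_controller_version(image)
    if ver is None:
        return "ignored"
    fixed = FIXED_VERSIONS.get(ver[:2])
    if fixed is None:
        return "not-covered"
    return "affected" if ver < fixed else "fixed"


def report(images: Iterable[str]) -> Dict[str, str]:
    """Return {image: status} for every ingress-nginx controller image in the list."""
    return {img: assess(img) for img in images if assess(img) != "ignored"}


# Constructed sample input (not output from a real cluster).
SAMPLE_IMAGES = [
    "registry.k8s.io/ingress-nginx/controller:v1.11.1@sha256:0000",
    "registry.k8s.io/ingress-nginx/controller:v1.11.2",
    "registry.k8s.io/ingress-nginx/controller:v1.10.3",
    "registry.k8s.io/ingress-nginx/controller:v1.9.6",
    "nginx:1.27",
]

if __name__ == "__main__":
    for img, status in report(SAMPLE_IMAGES).items():
        print(f"{status:12} {img}")
```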

References

[1] NVD, "CVE-2024-7646 Detail": https://nvd.nist.gov/vuln/detail/CVE-2024-7646

[2] kubernetes/kubernetes issue #126744, "CVE-2024-7646: Ingress-nginx Annotation Validation Bypass": https://github.com/kubernetes/kubernetes/issues/126744